1apiVersion: apps/v1
2kind: StatefulSet
3metadata:
4 name: web
5 namespace: emojivoto
6spec:
7 replicas: 1
8 selector:
9 matchLabels:
10 app: web-svc
11 serviceName: ""
12 template:
13 metadata:
14 annotations:
15 linkerd.io/created-by: linkerd/cli dev-undefined
16 linkerd.io/proxy-version: test-inject-proxy-version
17 linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
18 labels:
19 app: web-svc
20 linkerd.io/control-plane-ns: linkerd
21 linkerd.io/proxy-statefulset: web
22 linkerd.io/workload-ns: emojivoto
23 spec:
24 containers:
25 - env:
26 - name: _pod_name
27 valueFrom:
28 fieldRef:
29 fieldPath: metadata.name
30 - name: _pod_ns
31 valueFrom:
32 fieldRef:
33 fieldPath: metadata.namespace
34 - name: _pod_nodeName
35 valueFrom:
36 fieldRef:
37 fieldPath: spec.nodeName
38 - name: LINKERD2_PROXY_LOG
39 value: warn,linkerd=info,trust_dns=error
40 - name: LINKERD2_PROXY_LOG_FORMAT
41 value: plain
42 - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
43 value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
44 - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
45 value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
46 - name: LINKERD2_PROXY_POLICY_SVC_ADDR
47 value: linkerd-policy.linkerd.svc.cluster.local.:8090
48 - name: LINKERD2_PROXY_POLICY_WORKLOAD
49 value: |
50 {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
51 - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
52 value: all-unauthenticated
53 - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
54 value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
55 - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
56 value: 3s
57 - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
58 value: 5m
59 - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
60 value: 1h
61 - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
62 value: 100ms
63 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
64 value: 1000ms
65 - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
66 value: 5s
67 - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
68 value: 90s
69 - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
70 value: '[::]:4190'
71 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
72 value: '[::]:4191'
73 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
74 value: 127.0.0.1:4140
75 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
76 value: 127.0.0.1:4140
77 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
78 value: '[::]:4143'
79 - name: LINKERD2_PROXY_INBOUND_IPS
80 valueFrom:
81 fieldRef:
82 fieldPath: status.podIPs
83 - name: LINKERD2_PROXY_INBOUND_PORTS
84 value: "80"
85 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
86 value: svc.cluster.local.
87 - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
88 value: 10000ms
89 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
90 value: 10000ms
91 - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
92 value: 10s
93 - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
94 value: 3s
95 - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
96 value: 10s
97 - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
98 value: 3s
99 - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
100 value: 25,587,3306,4444,5432,6379,9300,11211
101 - name: LINKERD2_PROXY_DESTINATION_CONTEXT
102 value: |
103 {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
104 - name: _pod_sa
105 valueFrom:
106 fieldRef:
107 fieldPath: spec.serviceAccountName
108 - name: _l5d_ns
109 value: linkerd
110 - name: _l5d_trustdomain
111 value: cluster.local
112 - name: LINKERD2_PROXY_IDENTITY_DIR
113 value: /var/run/linkerd/identity/end-entity
114 - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
115 value: |
116 -----BEGIN CERTIFICATE-----
117 MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
118 JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
119 MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
120 ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
121 l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
122 uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
123 /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
124 aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
125 IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
126 vgUC0d2/9FMueIVMb+46WTCOjsqr
127 -----END CERTIFICATE-----
128 - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
129 value: /var/run/secrets/tokens/linkerd-identity-token
130 - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
131 value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
132 - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
133 value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
134 - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
135 value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
136 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
137 value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
138 - name: LINKERD2_PROXY_POLICY_SVC_NAME
139 value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
140 image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version
141 imagePullPolicy: IfNotPresent
142 lifecycle:
143 postStart:
144 exec:
145 command:
146 - /usr/lib/linkerd/linkerd-await
147 - --timeout=2m
148 - --port=4191
149 livenessProbe:
150 httpGet:
151 path: /live
152 port: 4191
153 initialDelaySeconds: 10
154 timeoutSeconds: 1
155 name: linkerd-proxy
156 ports:
157 - containerPort: 4143
158 name: linkerd-proxy
159 - containerPort: 4191
160 name: linkerd-admin
161 readinessProbe:
162 httpGet:
163 path: /ready
164 port: 4191
165 initialDelaySeconds: 2
166 timeoutSeconds: 1
167 securityContext:
168 allowPrivilegeEscalation: false
169 readOnlyRootFilesystem: true
170 runAsNonRoot: true
171 runAsUser: 2102
172 seccompProfile:
173 type: RuntimeDefault
174 terminationMessagePolicy: FallbackToLogsOnError
175 volumeMounts:
176 - mountPath: /var/run/linkerd/identity/end-entity
177 name: linkerd-identity-end-entity
178 - mountPath: /var/run/secrets/tokens
179 name: linkerd-identity-token
180 - env:
181 - name: WEB_PORT
182 value: "80"
183 - name: EMOJISVC_HOST
184 value: emoji-svc.emojivoto:8080
185 - name: VOTINGSVC_HOST
186 value: voting-svc.emojivoto:8080
187 - name: INDEX_BUNDLE
188 value: dist/index_bundle.js
189 image: buoyantio/emojivoto-web:v10
190 name: web-svc
191 ports:
192 - containerPort: 80
193 name: http
194 initContainers:
195 - args:
196 - --ipv6=false
197 - --incoming-proxy-port
198 - "4143"
199 - --outgoing-proxy-port
200 - "4140"
201 - --proxy-uid
202 - "2102"
203 - --inbound-ports-to-ignore
204 - 4190,4191,4567,4568
205 - --outbound-ports-to-ignore
206 - 4567,4568
207 image: cr.l5d.io/linkerd/proxy-init:v2.4.0
208 imagePullPolicy: IfNotPresent
209 name: linkerd-init
210 resources:
211 limits:
212 cpu: 100m
213 memory: 20Mi
214 requests:
215 cpu: 100m
216 memory: 20Mi
217 securityContext:
218 allowPrivilegeEscalation: false
219 capabilities:
220 add:
221 - NET_ADMIN
222 - NET_RAW
223 privileged: false
224 readOnlyRootFilesystem: true
225 runAsGroup: 65534
226 runAsNonRoot: true
227 runAsUser: 65534
228 seccompProfile:
229 type: RuntimeDefault
230 terminationMessagePolicy: FallbackToLogsOnError
231 volumeMounts:
232 - mountPath: /run
233 name: linkerd-proxy-init-xtables-lock
234 volumes:
235 - emptyDir: {}
236 name: linkerd-proxy-init-xtables-lock
237 - emptyDir:
238 medium: Memory
239 name: linkerd-identity-end-entity
240 - name: linkerd-identity-token
241 projected:
242 sources:
243 - serviceAccountToken:
244 audience: identity.l5d.io
245 expirationSeconds: 86400
246 path: linkerd-identity-token
247---
View as plain text